VMAN + ACL

  • Question
  • Updated 3 years ago
  • Answered
Hello!

I have this scheme:
Cisco (vman tag) -> (port 24 vman tag) Extreme X440 (port 23 vman untag) -> CheckPoint
BUT CheckPoint works in passive mode (it only receives traffic); also I can't see the MAC of CheckPoint, so traffic doesn't go to port 23 (the X440 doesn't know whom to send it to).

Maybe an ACL with action <redirect-port> can help in this situation?
But to what vlan/port do I have to map this ACL?

Thank you!
Alexandr P, Ambassador

Posted 3 years ago
Henrique, Employee

Hi Alexandr, what about creating a static FDB/ARP entry pointing to the CheckPoint?
Alexandr P, Ambassador

In this case only traffic whose destination MAC is the CheckPoint will be forwarded to this port, but I need all traffic to be forwarded there.

For now I think of 2 variants:
1- to do a mirror, like:
#create mirror test3001

#configure mirror add vlan Int3001

#enable mirror to port 21 <which is connected to CheckPoint>

2- to do an ACL, with match condition vlan-id (present since EXOS 15.7), and some variants of actions:

redirect-name name—Specifies the name of the flow-redirect that must be used to redirect matching traffic.

redirect-port port—Overrides the forwarding decision and changes the egress port used.

mirror—Rules that contain mirror as an action modifier will use a separate slice.

What are your thoughts about these points?

Thank you!
Henrique, Employee

Do you want to redirect all traffic (all vlans) or a specific vlan?

If you want to redirect a specific vlan's traffic then I believe you should use the "cvid" match-condition to match the inner-Vlan ID and then "redirect-port 21".

Regarding the mirroring, I'm not sure if there is any limitation when mirroring an inner-vlan. A lab might be good to confirm that.
Necheporenko, Nikolay, Employee

configure access-list redirect-all ports 24 ingress

Policy: redirect-all
entry one {
    if match all {
        vlan-id 77 ;        # vman outer tag
    }
    then {
        permit ;
        count all ;
        redirect-port 23 ;
    }
}
Number of clients bound to policy: 1
Alexandr P, Ambassador

Hello, Nikolay!

I need to redirect the unpacked vlan (the vlan without the outer vman tag).

Thank you!
Jarek

Did you try "disable learning vman VmanName"?

--
Jarek
Alexandr P, Ambassador

Do you think in this case all traffic will be forwarded directly to port 23?
Jarek

Hi,

Sorry for the delay.
Yes, it should send all traffic from the vman to port 23.
I have tested it with a vlan and it works.
I think with a vman the behavior will be the same.

--
Jarek
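The failure mode behind this thread (a passive monitor on port 23 never sources a frame, so the X440 learns every MAC of the mirrored conversations on port 24 and then drops known unicast whose destination sits on the ingress port) and the two proposed fixes, Jarek's "disable learning" and Nikolay's ACL "redirect-port", modelled as a tiny learning-bridge simulation. This is an added example, not code from the thread or from Extreme; the port numbers follow the thread, the MAC addresses and the mirrored frames are constructed.

```python
# Added example: a minimal learning-bridge model of the X440 scenario in this thread.
# Mirrored (vman-tagged) traffic enters port 24; the passive CheckPoint sits on port 23.
from collections import namedtuple

Frame = namedtuple("Frame", "src dst")


class Bridge:
    """Single-VLAN learning bridge with optional MAC learning and an ACL-style redirect."""

    def __init__(self, ports, learning=True, redirect=None):
        self.ports = set(ports)
        self.learning = learning
        self.redirect = redirect or {}   # ingress port -> egress port (models "redirect-port")
        self.fdb = {}                    # learned MAC -> port

    def forward(self, ingress, frame):
        """Return the set of egress ports for a frame arriving on `ingress`."""
        if self.learning:
            self.fdb[frame.src] = ingress            # source MAC learned on the ingress port
        if ingress in self.redirect:
            return {self.redirect[ingress]}          # ACL overrides the forwarding decision
        port = self.fdb.get(frame.dst)
        if port is None:
            return self.ports - {ingress}            # unknown unicast is flooded
        return set() if port == ingress else {port}  # known on the ingress port: dropped


# Constructed sample: both directions of one conversation, as a SPAN/mirror session delivers them.
MIRRORED = [Frame("00:00:5e:00:53:01", "00:00:5e:00:53:02"),
            Frame("00:00:5e:00:53:02", "00:00:5e:00:53:01")] * 2


def delivered_to_monitor(bridge, ingress=24, monitor=23):
    """Count how many mirrored frames the bridge actually sends towards the monitor port."""
    return sum(monitor in bridge.forward(ingress, f) for f in MIRRORED)


if __name__ == "__main__":
    total = len(MIRRORED)
    print("learning on  :", delivered_to_monitor(Bridge([23, 24])), "of", total)
    print("learning off :", delivered_to_monitor(Bridge([23, 24], learning=False)), "of", total)
    print("ACL redirect :", delivered_to_monitor(Bridge([23, 24], redirect={24: 23})), "of", total)
```

With learning on, only the very first frame (unknown destination, flooded) reaches port 23; every later frame is "known on port 24" and is dropped, which is the symptom Alexandr describes. Disabling learning on the vman or binding the redirect-port ACL to port 24 ingress both deliver all frames.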